When installing or executing an app on a smartphone, we grant it access to part of our (possibly confidential) data stored in the device. Traditional information-flow analyses aim to detect whether such information is leaked by the app to the external (untrusted) environment. The static analyser we present in this paper goes one step further. Its aim is to trace not only if information is possibly leaked (as this is almost always the case), but also how relevant such a leakage might become, as an under- and over-approximation of the actual degree of values degradation. The analysis captures both explicit dependences and implicit dependences, in an integrated approach. The analyser is built within the Abstract Interpretation framework on top of our previous work on data-centric semantics for verification of privacy policy compliance by mobile applications. Results of the experimental analysis on significant samples of the DroidBench library are also discussed.

DAPA: Degradation-Aware Privacy Analysis of Android Apps

CORTESI, Agostino;Ferrara, Pietro;Steffinlongo, Enrico
2016-01-01

Abstract

When installing or executing an app on a smartphone, we grant it access to part of our (possibly confidential) data stored in the device. Traditional information-flow analyses aim to detect whether such information is leaked by the app to the external (untrusted) environment. The static analyser we present in this paper goes one step further. Its aim is to trace not only if information is possibly leaked (as this is almost always the case), but also how relevant such a leakage might become, as an under- and over-approximation of the actual degree of values degradation. The analysis captures both explicit dependences and implicit dependences, in an integrated approach. The analyser is built within the Abstract Interpretation framework on top of our previous work on data-centric semantics for verification of privacy policy compliance by mobile applications. Results of the experimental analysis on significant samples of the DroidBench library are also discussed.
2016
Security and Trust Management, Lecture Notes in Computer Science, Volume 9871
File in questo prodotto:
File Dimensione Formato  
STM_2016_printed_article.pdf

non disponibili

Tipologia: Documento in Post-print
Licenza: Accesso chiuso-personale
Dimensione 1.29 MB
Formato Adobe PDF
1.29 MB Adobe PDF   Visualizza/Apri

I documenti in ARCA sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/10278/3684287
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 10
  • ???jsp.display-item.citation.isi??? 8
social impact